Common keytool and openssl commands

Generate root CA private key:

openssl genrsa -des3 -out rootCA.key 2048

Create root CA certificate:

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1825 -out rootCA.pem

Generate private key:

openssl genrsa -des3 -out my-private.key 2048

Create certificate CSR from private key:

openssl req -new -sha256 -key my-private.key -out my-signature-request.csr

Sign certificate by root CA:

openssl x509 -req -in my-signature-request.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out my-certificate.pem -days 365 -sha256

Create keystore with certificate and private key:

openssl pkcs12 -export -in my-certificate.pem -inkey my-private.key -name my-certificate-alias > keystore.p12

Import one keystore into another:

keytool -importkeystore -srckeystore keystore2.p12 -destkeystore keystore.p12 -srcstoretype pkcs12 -deststoretype pkcs12 -alias my-certificate-alias

Create truststore with root CA

keytool -import -file rootCA.pem -alias rootCA -storetype pkcs12 -keystore truststore.p12

Create self-signed certificate (without local rootCA)

openssl x509 -signkey my-private.key -in my-signature-request.csr -req -days 365 -out my-certificate.pem
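
The CA-signed and self-signed recipes above, run end to end without prompts and followed by two checks worth doing before a certificate goes into a keystore: that it chains to the root CA, and that it matches the private key. This is an added example, not part of the original page; the subjects, the passphrases, the self-signed.pem file name, the use of -aes256 in place of -des3 and the env: passphrase source are choices made for the example.

```sh
#!/bin/sh
# Added example. File names follow the page; subjects and passphrases are
# constructed. Passphrases are read from the environment (env:), not argv.
CA_PASS='constructed-ca-passphrase'
KEY_PASS='constructed-key-passphrase'
export CA_PASS KEY_PASS

# Build root CA, leaf key, CSR, CA-signed leaf and self-signed cert in dir $1.
make_chain() (
    cd "$1" &&
    openssl genrsa -aes256 -passout env:CA_PASS -out rootCA.key 2048 2>/dev/null &&
    openssl req -x509 -new -key rootCA.key -passin env:CA_PASS -sha256 \
        -days 1825 -subj "/CN=Constructed Root CA" -out rootCA.pem &&
    openssl genrsa -aes256 -passout env:KEY_PASS -out my-private.key 2048 2>/dev/null &&
    openssl req -new -sha256 -key my-private.key -passin env:KEY_PASS \
        -subj "/CN=service.example.test" -out my-signature-request.csr &&
    openssl x509 -req -in my-signature-request.csr -CA rootCA.pem \
        -CAkey rootCA.key -passin env:CA_PASS -CAcreateserial \
        -out my-certificate.pem -days 365 -sha256 2>/dev/null &&
    openssl x509 -req -in my-signature-request.csr -signkey my-private.key \
        -passin env:KEY_PASS -days 365 -out self-signed.pem 2>/dev/null
)

# Exit 0 only if certificate $2 chains to the CA certificate $1.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 only if certificate $1 carries the public key of private key $2.
key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) &&
    key_pub=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout) &&
    [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone run: the CA-signed leaf must verify, the self-signed one must not.
work=$(mktemp -d) && make_chain "$work" &&
    chains_to "$work/rootCA.pem" "$work/my-certificate.pem" &&
    key_matches "$work/my-certificate.pem" "$work/my-private.key" &&
    ! chains_to "$work/rootCA.pem" "$work/self-signed.pem" &&
    echo "chain and key checks passed"
rm -rf "$work"
```

Both certificates carry the same public key, so key_matches succeeds for each; only the one signed with rootCA.key passes chains_to, which is the difference a truststore containing rootCA.pem enforces.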

Remove certificate from keystore

keytool -delete -alias my-certificate-alias -keystore keystore.p12

Import certificate into keystore

keytool -import -trustcacerts -alias my-certificate-alias -file my-certificate.pem -keystore keystore.p12

List keystore content

keytool -list -keystore keystore.p12
Add "-v" to list the entries with details
Add "-alias certificate-alias-name" to view only the requested certificate

View content of certificate pem file

openssl x509 -in my-certificate.pem -noout -text

View contents of CSR

openssl req -in my-signature-request.csr -noout -text

Export certificate (public key) from keystore

keytool -exportcert -rfc -keystore keystore.p12 -alias my-certificate-alias -storetype PKCS12 -file exported-certificate.crt

Import certificate into existing keystore

keytool -importcert -file my-certificate.crt -keystore truststore.p12 -alias my-certificate-alias

